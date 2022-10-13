A decentralized exchange (DEX) on the Solana (SOL) blockchain, Mango Markets, says an attacker took off with crypto assets worth tens of millions of dollars following an exploit on the platform.

Mango Markets claims that an attacker manipulated the price of its utility token, Mango (MNGO), upwards within minutes before borrowing and withdrawing crypto assets worth approximately $100 million.

According to the Solana-based DEX, the attacker initiated the price manipulation by funding two accounts with the USDC stablecoin and then buying an “outsized position” in the derivative of Mango Markets’ utility token, MNGO-PERP.

Mango Markets says that the price of its utility token then surged, a fact that was registered by Solana’s on-chain data feed providers Switchboard and Pyth.

Once the value of MNGO had exploded, Mango Markets says that the attacker then borrowed the highest amount possible using the unrealized profit from his long position in the utility token as collateral. The attacker withdrew the loot in Bitcoin (BTC), Solana (SOL) as well as the USDC and USDT stablecoins.

“Two accounts funded with USDC took an outsized position in MNGO-PERP.

Underlying MNGO/USD prices on various exchanges (FTX, Ascendex) experienced a 5-10x price increase in a matter of minutes.

This led to Switchboard and Pyth oracles updating their MNGO benchmark price to above $0.15.

This further caused a mark-to-market increase in the value of the account that was long MNGO-PERP from the unrealized profit.

Which allowed the account to borrow and withdraw BTC (sollet), USDT, SOL, mSOL, USDC out of the Mango protocol.

This maxed out the borrows available from the $190Million equivalent deposits on the platform.

The net value extracted by the account was around $100 million equivalent at the time.”

Mango Markets has listed its priorities are to prevent further unnecessary losses, make sure the depositors of Mango are made whole and to try to salvage value and rebuild the protocol.

